Potential Persistence Via COM Search Order Hijacking
Detects potential COM object hijacking leveraging the COM Search Order
Sigma rule
```yaml
title: Potential Persistence Via COM Search Order Hijacking
id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
status: experimental
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
    - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2023/09/28
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection: # Detect new COM servers in the user hive
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith: '\InprocServer32\(Default)'
    filter_main_generic:
        Details|contains: # Exclude privileged directories and observed FPs
            - '%%systemroot%%\system32\'
            - '%%systemroot%%\SysWow64\'
    filter_main_onedrive:
        Details|contains:
            # Related To OneDrive
            - '\AppData\Local\Microsoft\OneDrive\'
            - '\FileCoAuthLib64.dll'
            - '\FileSyncShell64.dll'
            - '\FileSyncApi64.dll'
    filter_main_health_service:
        Image|endswith: ':\WINDOWS\system32\SecurityHealthService.exe'
    filter_main_teams:
        Details|contains|all:
            - '\AppData\Local\Microsoft\TeamsMeetingAddin\'
            - '\Microsoft.Teams.AddinLoader.dll'
    filter_main_dropbox:
        Details|contains|all:
            - '\AppData\Roaming\Dropbox\'
            - '\DropboxExt64.*.dll'
    filter_main_trend_micro:
        Details|endswith: 'TmopIEPlg.dll' # TrendMicro osce
    filter_main_update:
        Image|endswith:
            - ':\WINDOWS\system32\wuauclt.exe'
            - ':\WINDOWS\system32\svchost.exe'
    filter_main_defender:
        Image|contains:
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Program Files\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    filter_main_nvidia:
        Details|contains: '\FileRepository\nvmdi.inf'
    filter_main_edge:
        Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'
    filter_main_dx:
        Image|endswith: ':\WINDOWS\SYSTEM32\dxdiag.exe'
    filter_main_python:
        Details|endswith:
            - ':\Windows\pyshellext.amd64.dll'
            - ':\Windows\pyshellext.dll'
    filter_main_bonjourlib:
        Details|endswith:
            - ':\Windows\system32\dnssdX.dll'
            - ':\Windows\SysWOW64\dnssdX.dll'
    filter_main_printextensionmanager:
        Details|endswith: ':\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
    filter_main_programfiles:
        Details|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_programdata:
        Details|contains: ':\ProgramData\Microsoft\'
    filter_main_gameservice:
        Details|contains: ':\WINDOWS\system32\GamingServicesProxy.dll'
    filter_main_poqexec:
        Image|endswith: ':\Windows\System32\poqexec.exe'
        Details|contains: ':\Windows\System32\Autopilot.dll'
    filter_main_sec_health_svc:
        Image|endswith: ':\Windows\system32\SecurityHealthService.exe'
        Details|contains: ':\Windows\System32\SecurityHealth'
    filter_main_inprocserver:
        Image|endswith:
            - ':\Windows\System32\poqexec.exe'
            - ':\Windows\System32\regsvr32.exe'
        TargetObject|endswith: '\InProcServer32\(Default)'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
level: medium
```
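To show how the rule's selection and filter blocks evaluate against registry telemetry, here is an added Python example (not part of the Sigma rule or the Sigma project): a minimal evaluator for the modifiers this rule uses (`contains`, `endswith`, `contains|all`, with Sigma's case-insensitive matching and `*` wildcard), run over four constructed `registry_set` events. It implements the selection and four of the rule's `filter_main_*` blocks, not the full filter list, so a user-hive `InprocServer32` write pointing into `AppData\Roaming` fires while the Dropbox and svchost.exe cases are excluded.

```python
import re

# Constructed registry_set events (not real telemetry); fields follow the rule's logsource mapping.
EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",  # user-hive COM server -> alert
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Classes\CLSID\{0000-TEST}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\updater.dll"},
    {"Image": r"C:\WINDOWS\system32\svchost.exe",  # excluded by filter_main_update
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{0000-TEST}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\wuaueng.dll"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Dropbox\Client\Dropbox.exe",  # excluded by the '*' filter
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Classes\CLSID\{0000-TEST}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Dropbox\bin\DropboxExt64.42.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",  # not a CLSID InprocServer32 key
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Classes\Interface\{0000-TEST}\ProxyStubClsid32\(Default)",
     "Details": "{0000-TEST}"},
]

# The rule's selection plus a subset of its filter_main_* blocks (one per modifier it uses).
SELECTION = {"TargetObject|contains": "\\CLSID\\", "TargetObject|endswith": "\\InprocServer32\\(Default)"}
FILTERS = [
    {"Details|contains": [":\\Program Files\\", ":\\Program Files (x86)\\"]},
    {"Details|contains|all": ["\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\", "\\Microsoft.Teams.AddinLoader.dll"]},
    {"Details|contains|all": ["\\AppData\\Roaming\\Dropbox\\", "\\DropboxExt64.*.dll"]},
    {"Image|endswith": [":\\WINDOWS\\system32\\wuauclt.exe", ":\\WINDOWS\\system32\\svchost.exe"]},
]

def _to_regex(pattern):
    # Sigma strings are case-insensitive; '*' matches any run and '?' one character, the rest is literal.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)

def _match(value, pattern, op):
    return re.search(_to_regex(pattern) + (r"\Z" if op == "endswith" else ""), value, re.IGNORECASE) is not None

def match_selection(event, selection):
    """Every field condition must hold; a list value is any-of unless the 'all' modifier is present."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        op = "endswith" if "endswith" in mods else "contains"
        hits = [_match(event.get(field, ""), p, op) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def rule_matches(event):
    # condition: selection and not 1 of filter_main_*
    return match_selection(event, SELECTION) and not any(match_selection(event, f) for f in FILTERS)

def alerts(events):
    return [e["Details"] for e in events if rule_matches(e)]
```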
Related rules
- Suspicious GetTypeFromCLSID ShellExecute
- COM Hijacking via TreatAs
- Potential PSFactoryBuffer COM Hijacking
- Potential Persistence Using DebugPath
- Potential Persistence Via Scrobj.dll COM Hijacking